Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 b8e0a202ffb92802…

MALICIOUS

Office (OLE)

Size: 83.0 KB
Created: 2005-07-29 13:30:00
Authoring application: Microsoft Word 9.0
First seen: 2012-06-14
MD5: 494778d280da6d75ea463ebf361a8478
SHA-1: ae2050bd595eebd86298381ebe2640f66f354f63
SHA-256: b8e0a202ffb92802d2041a1cb4e9f692458edab76e147a178eef97418dc97797
Risk Score: 628

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1059.005 Visual Basic
  • T1105 Ingress Tool Transfer

The sample is a malicious Microsoft Word document exploiting CVE-2008-2244 to deliver a PE executable. The embedded executable, detected as Win.Trojan.Agent-149457 by ClamAV, is likely the primary payload. The VBA macro, while present, contains no executable statements and appears to be a decoy or remnant, but the presence of API calls like WinExec, CreateProcess, VirtualAlloc, WriteProcessMemory, CreateRemoteThread, LoadLibrary, and GetProcAddress within the document's structure strongly suggests the embedded executable will be loaded and executed in memory, potentially by the exploit itself.

Heuristics (13)

  • CVE-2008-2244 — Microsoft Word record-parsing payload critical CVE likely CVE_2008_2244
    Word OLE document has normal small WordDocument/table streams, a large unallocated OLE slack region, and an executable or resolver shellcode payload in that slack. This is the static shape of the MS08-042 Word record-parsing exploit family tracked as CVE-2008-2244.
  • ClamAV: Win.Trojan.Agent-149457 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Agent-149457
  • Reference to WriteProcessMemory API critical SC_STR_WRITEPROCESSMEMORY
  • Reference to CreateRemoteThread API critical SC_STR_CREATEREMOTETHREAD
  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • x86 GetPC stub (CALL $+5; POP EBX) high SC_GETPC_CALL
    Disassembly (attempted x86 opcode decoding of the bytes at the stub; the first four instructions are the CALL/POP GetPC sequence, a delta adjustment, and a JMP past the bytes shown, while from 0x1C57 onward the decoder is consuming the ASCII API-name table GetProcAddress, LoadLibraryA, WinExec, Sleep, CopyFileA, CreateFileA, SetFilePointer rather than real instructions)
    00001C46  e800000000        call 0x1c4b
    00001C4B  5b                pop ebx
    00001C4C  81eba6104000      sub ebx, 0x4010a6
    00001C52  e909010000        jmp 0x1d60
    00001C57  47                inc edi
    00001C58  657450            je 0x1cab
    00001C5B  726f              jb 0x1ccc
    00001C5D  634164            arpl word ptr [ecx + 0x64], ax
    00001C60  647265            jb 0x1cc8
    00001C63  7373              jae 0x1cd8
    00001C65  004c6f61          add byte ptr [edi + ebp*2 + 0x61], cl
    00001C69  644c              dec esp
    00001C6B  69627261727941    imul esp, dword ptr [edx + 0x72], 0x41797261
    00001C72  005769            add byte ptr [edi + 0x69], dl
    00001C75  6e                outsb dx, byte ptr [esi]
    00001C76  45                inc ebp
    00001C77  7865              js 0x1cde
    00001C79  6300              arpl word ptr [eax], ax
    00001C7B  53                push ebx
    00001C7C  6c                insb byte ptr es:[edi], dx
    00001C7D  65657000          jo 0x1c81
    00001C81  43                inc ebx
    00001C82  6f                outsd dx, dword ptr [esi]
    00001C83  7079              jo 0x1cfe
    00001C85  46                inc esi
    00001C86  696c654100437265  imul ebp, dword ptr [ebp + 0x41], 0x65724300
    00001C8E  61                popal
    00001C8F  7465              je 0x1cf6
    00001C91  46                inc esi
    00001C92  696c654100536574  imul ebp, dword ptr [ebp + 0x41], 0x74655300
    00001C9A  46                inc esi
    00001C9B  696c65506f696e74  imul ebp, dword ptr [ebp + 0x50], 0x746e696f
    00001CA3  657200            jb 0x1ca6
  • Reference to WinExec API high SC_STR_WINEXEC
  • Reference to CreateProcess API high SC_STR_CREATEPROCESS
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 84,992 bytes but its declared streams total only 18,417 bytes — 66,575 bytes (78%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
  • VBA project contains no executable statements low OLE_VBA_MACROS
    Document contains a VBA project, but extracted modules only contain attributes/options/comments and no executable statements.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 369 bytes
SHA-256: 0a0073e6700d52a50d0c1e9ea0537e97be4dbdf563f1ead10aa7aa70adf4375d
Script preview (first 1,000 lines of the extracted script)
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "PropertyTreeCtl1, 0, 0, PROPERTYTREELib, PropertyTreeCtl"
Filename: embedded_office_00005c00.exe
Kind: embedded-pe
Source: Office MZ+PE at offset 0x5C00
Size: 61440 bytes
SHA-256: 3c2c92f24ecbd58cca9a843e8a509f96344e32ecfa759d63a00ab0156840500f
Detection
ClamAV: Win.Trojan.Agent-149457
Obfuscation or payload: unlikely